5.9

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2016-6624

GHSA ID

GHSA-mhxj-6vf8-mwv3

EPSS Score

0.54435%

CWE

Published

5/17/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-6624

CVE-2016-6624: phpMyAdmin IPv6 and proxy server IP-based authentication rule circumvention

An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2016-6624

CVE-2016-6624:

5.9

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2016-6624

GHSA ID

GHSA-mhxj-6vf8-mwv3

EPSS Score

0.54435%

CWE

Published

5/17/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phpmyadmin/phpmyadmin	composer	>= 4.6, < 4.6.4	4.6.4
phpmyadmin/phpmyadmin	composer	>= 4.4, < 4.4.15.8	4.4.15.8
phpmyadmin/phpmyadmin

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper IP validation in proxy environments using IPv6. The core issue involves two key functions: 1) checkIPAllowDeny, responsible for enforcing IP-based access rules, which failed to properly verify if the client IP (from X-Forwarded-For) was allowed when behind an authorized proxy. 2) getClientIp, which likely mishandled IPv6 address parsing from headers. This is supported by the patched commits modifying IP validation logic and the vulnerability's nature (CWE-661 - Improper Enforcement of Authorization Rules). The confidence is high as the vulnerability directly maps to IP handling functions in the authentication workflow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2016-6624: phpMyAdmin IPv6 and proxy server IP-based authentication rule circumvention

CVE-2016-6624:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.9

5.9

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2016-6624: phpMyAdmin IPv6 and proxy server IP-based authentication rule circumvention

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI